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Abstract 

A strategy for detecting control law calculation 
errors in critical flight control computers during 
laboratory validation testing is presented. This paper 
addresses Part I of the detection strategy which involves 
the use of modeling of the aircraft control laws and the 
design of Kalman filters to predict the correct control 
commands. Part II of the strategy which involves the use 
of the predicted control commands to detect control 
command errors is presented in the companion paper. 

1. Introduction 

Verifying the integrity of control computers 
operating in harsh electromagnetic environments is a key 
issue in the development, certification, and operation of 
control systems performing flight critical functions for 
future transport aircraft. Flight-critical systems with high 
reliability specifications will be required on future 
commercial aircraft for critical functions such as stability 
augmentation, flutter suppression, and guidance and 
control. Since these systems are used in critical control 
applications, the problem of verifying the functional 
integrity of the control computer in adverse as well as 
nominal operating environments becomes a key issue. An 
adverse operating environment of particular concern for 
critical aircraft systems is the electromagnetic 
environment (EME) caused by sources such as lightning, 
high-intensity radiated fields (HIRF) associated with radar 
and radio frequency (RF) transmitters, personal electronic 
devices carried onto the aircraft by passengers, 
electromagnetic interference and incompatibilities of 
onboard equipment, onboard or ground-based terrorists 
using RF weapons, and erroneous ground-based or 
airborne military activities in which tracking radars lock 
onto a commercial transport. 

The failure phenomena associated with 
electromagnetically induced transient signals that 
ultimately affect performance and reliability of a digital 
system are collectively known as digital system upset. 
The occurrence of digital system upset in critical flight 
systems can cause catastrophic deviations from the flight 
path of the aircraft that compromise safe flight [1], Upset 
phenomena [2] can interfere with normal operation of the 
processors within a control computer and result in 
degraded performance and reliability at the closed-loop 


system level. Since there are numerous error modes that can 
occur in a digital controller, it is impractical to determine and 
model each of the failure modes and then design a 
corresponding detector. The most practical strategy is to 
model the nominal function of the controller and detect when 
it is not performing nominally. 

One attribute that defines the functional integrity of 
the control computer is the correctness of the control law 
calculation. A strategy has been developed for detecting 
control law calculation errors in critical control computers 
during laboratory validation testing. The detection strategy 
involves the use of a Kalman filter to predict the correct 
control command, and a statistical decision rule to determine 
if the computer's command calculation is correct. Design of 
the Kalman filter requires that the control law calculation be 
modeled as a linear stochastic state equation. 

A model-based monitoring scheme has been chosen 
for the formulation of the design problem because it is 
desired to have the capability of analytically determining the 
performance of the detector. The model developed must 
depict the dynamic variation in the control commands that 
occur over the flight condition of interest, the stochastic 
variation that occurs when the aircraft is subjected to 
atmospheric disturbances and when the measurements are 
noisy, and the uncertainty associated with the tracking of the 
aircraft for each flight. Previous work on detecting computer 
upset includes a processor-level scheme [3], as well as a 
systems-level scheme [4, 5]. The monitor presented in [4, 5] 
is based on linear state space models and was demonstrated 
on the longitudinal control laws of a simulated B737 
Autoland control computer. The work in this paper uses an 
improved simulator, models three control laws, and validates 
the estimation process by checking the model on fifty 
simulations. This paper presents the modeling and estimation 
required to generate the nominal control commands necessary 
for the proper functioning of the malfunction detector. This 
problem is motivated by the need for having a detection 
scheme for application to a laboratory set-up for testing an N- 
redundant fault tolerant control computer. This paper 
addresses the modeling of the control command and the 
design of a Kalman filter for state estimation. This process 
will be demonstrated for the elevator, throttle, and aileron 
control laws of a Boeing 737(B737) Autoland control system 
for landing the aircraft in light clear air turbulence. The flight 
data to be used in this work is generated by a B737 Autoland 



simulator. The formulation for the problem is presented 
in Section 2, the modeling and Kalman filter design 
strategies are presented in Section 3, and examples of the 
strategies as applied to simulated data are presented in 
Section 4. 

2. Problem Formulation 


The objective of the laboratory set-up is to 
determine the susceptibility of the fault tolerant controller 
to upset caused by high-intensity radiated fields (HIRF). 
The primary elements in the laboratory test set-up are: the 
fault tolerant controller, the simulation of the aircraft, 
engines, sensors, and actuators, the HIRF test chamber, 
and the control law calculation malfunction detector. 
Malfunctions in control law calculations result when the 
basic mathematical operations of the processor are 
performed incorrectly. The controller is interfaced to a 
simulation of the aircraft, engines, sensors, and actuators 
in order to assure the operating environment of the 
controller during testing. The controller with N 
processors is placed inside the HIRF test chamber and 
subjected to disturbances that could occur from radars or 
high-power radio transmitters. The controller is 
monitored by the upset detector during testing to 
determine if any of the disturbances causes a controller 
upset. Electrical isolation of electromagnetic disturbances 
inside the HIRF test chamber is achieved using fiber 
optics. The processors in the redundant controller are 
typically asynchronous or loosely synchronized. The 
sensor signals that are input to each processor are 
generated by the plant simulation. It is assumed that each 
processor calculates all control laws, and that the control 
laws of each processor are identical and are implemented 
with the same software. Therefore, one set of models for 
the control law calculations will be developed. This set of 
models will be applicable to each processor. 



The strategy which has been developed for detecting 
control law calculation errors in a critical control computer 
on-line during EME testing is shown in Figure 1 . The system 
parameters must first be calculated. The Kalman filter is then 
designed to generate an on-line prediction of the correct 
system-level calculation. Use of the Kalman filter allows the 
detector to be designed independently of the equations, logic, 
and software implementation in the control computer. It is 
the function of the upset detector to determine whether or not 
the control law calculation is correct. The detector calculates 
the difference between the predicted command from the filter 
and the control law command from the control computer 
under test, and uses a statistical decision rule to determine the 
significance of the difference. It then makes a determination 
as to whether or not the control command calculation is 
correct. 

This paper considers the Model Generator and 
Kalman Filter blocks in Figure 1. The Upset Detector is 
discussed in detail in [2], The design of the Kalman filters 
[6] requires that the control law calculation of the control 
computer be modeled as a discrete state equation. The 
assumed model is of multi-input/single output form [4], and 
is given by: 


x(k + 1) = F(k)x(k) + G(k)u(k) + Q(k)w(k) ( 1 ) 

z(k) = H(k)x(k) + v(k) (2) 


where: x(k) = control law calculation 

F(k) = state transition matrix 
u(k) = input vector to control computer 
G(k) = input matrix 
w(k) = process noise 
Q(k) = process noise scaling matrix 
z(k) = measurement of control law calculation 
H(k) = measurement matrix 
v(k) = measurement noise 
k = number of the time step or frame 


In this paper, bold variables indicate vectors or matrices, and 
the superscript T represents matrix transpose. One time step 
corresponds to one data frame of the controller in which all 
control laws are calculated. The measurement matrix H(k) is 
one-dimensional and will be unity since the control law 
calculation is defined as the state variable and can therefore 
be measured directly. The process noise and measurement 
noise sequences are assumed to be independent, zero-mean 
Gaussian, and white. The deterministic quantities that must 


Figure 1. Strategy for monitoring calculations 
in critical control computers. 




be evaluated for the Kalman filter design are the state 
transition matrix F(k) and the input matrix G(k). The 
stochastic quantities that must be determined for the 
Kalman filter design are the process noise scaling matrix 
Q(k), the process noise covariance Q(k), and the 
measurement noise covariance R(k). Since the control 
law calculation in the flight control computer is not 
implemented in the form of equations (1) and (2), 
obtaining the parameter matrices associated with the state 
model results in a parameter identification problem. 

Parameter identification methods and algorithms 
have been widely available in the literature for many 
years. In this paper a least-squares regression will be 
used to yield a good approximation to the correct control 
law calculation. The deterministic quantities of the 
model, namely state transition matrix F(k) and input 
matrix G(k), are obtained using the least-squares 
estimation. More sophisticated parameter identification 
methods may be employed in future work as necessary to 
improve performance of the detector. 

Section 3 presents the method used to generate 
system parameters of the model that are required in the 
Kalman filter. Section 4 contains examples of modeling 
and estimation strategies using these methods for the 
elevator, throttle, and aileron commands of a B737 
Autoland control system simulation. Since the control 
laws are decoupled in the B737 Autoland, it is assumed 
that these commands can be modeled separately. 

3 . Modeling and Kalman Filter Design 

A design strategy that uses least-squares 
regression to generate model parameters for the design of 
Kalman filters is shown in this section. The initial state 
equation is modeled in continuous time and then 
discretized to reflect the command cycle time of the 
control computer under test. Evaluation of alternative 
control computers could, therefore, be accomplished by 
discretizing the continuous-time calculation models to 
reflect the corresponding command cycle times. For 
simplicity, it is assumed that the model is time-invariant 
over an interval of interest. The general form of the 
continuous-time deterministic time-invariant model 
assumed for the control law calculation of the control 
computer over the interval of interest is: 

x(t) = Ax(t) + Bu(t) (3) 

where: 

x(t) = control command for continuous-time model 
x(t) = ti me derivative of the control command 
u(t) = input vector to the computer 


A = system matrix 

B = input matrix for continuous-time model 


Data values for the control command and input vector are 
obtained from a B737 computer simulation. The parameters 
A and B can be determined using the least-squares estimation 
[7], which is given by: 

0 = (X T X) 4 X T Y (4) 

where: 

Y = x(t) 

X = [x(t) u(t)] 

The vector X is the regression vector, and 0 is the parameter 
vector that contains the model parameter A as its first element 
and B as the vector of remaining elements. The discrete 
model is obtained from the continuous model using a 
sampling time that corresponds to the time increment 
between data points, associated with the command cycle of 
the control computer. The form of the discrete model is: 

x(k + 1) = Fx(k) + Gu(k) (5) 

where: x(k) is the control command for the discrete-time 
model and u(k) is the corresponding input vector. 

Once the deterministic elements, F and G, are 
determined, the Kalman filter can be designed for estimating 
the command generated by the critical control computer. The 
stochastic elements of the Kalman filter equations are 
determined using modeling error information. The modeling 
error is calculated to be the difference between the command 
specified by the model in equation 5 and the actual command 
generated by the simulation at each frame. 

4 . Example: Design for B737 Autoland Control 
Laws 

A B737 SIMULINK Autoland Simulator was used 
to generate the data used in these examples. Each simulation 
run consisted of the landing of the aircraft in light clear air 
turbulence (wind gust intensities of two feet/second) [4], 
Each landing has the same initial conditions, with a wind 
velocity of twenty knots from a 45 degree NE direction. 
Plots of the control commands from a single simulation run 
are shown in Figures 2-4. The irregularity in the command 
plots is caused by compensation for the clear air turbulence to 
which the aircraft is subjected. For a given simulation run, 
data was saved every frame during the landing from 
glideslope engaged until flare. For each of the three control 
laws (elevator, throttle, and aileron), the data saved at each 



frame for a single run consists of the control command 
value in degrees, and the values of the inputs to the 
calculation of that control command. The inputs to each 
of the control command calculations are listed in Table 1. 
Data for each of the three control laws was saved for fifty 
different simulation runs. Since the algorithms and 
methods used to create a mathematical model and design 
a Kalman filter are identical for each of the control laws, 
the generic process used is described here, and the results 
for each of the control laws are shown separately below. 

The data from the first run was arbitrarily used to 
calculate the model parameters. Using the least-squares 
regression given by equation 4 on the entire data set for 
the first run, F and G values were determined. The 
sampling time for the discrete models was 50 ms to agree 
with the data frame rate of the simulation which generated 
the data. In the case of all three control laws, the least- 
squares regression applied to the complete data set from 
glideslope to flare did not yield a single acceptable model 
that accurately generated the command as calculated by 
the simulator. Thus for each control command, the entire 
block of data was divided into sub-blocks, and a separate 
set of model parameters was calculated for each sub- 
block, the result being a set of sub-models for each 
control command. From this point on in the discussion, it 
is understood that for each control law, there is actually a 
set of sub-models, and a separate value for the system 
parameters, F and G, for each sub-model. 

The model command then was calculated for 
each frame of every run. The model command is the 
control command calculated according to equation 5, 
using the calculated model parameters and the simulator 
input values. The model error, which is the difference 
between the control command generated by the simulator 
and the model command, was then calculated. For each 
run, the variance of the model error was calculated. For 
the design of the Kalman filter, the covariance of the 
process noise Q was set equal to the mean of the model 
error variance over the fifty runs. Since it is assumed that 
the measurement error will be small, the measurement 
noise covariance R was set equal to QxlO 4 . Note that 
there is a distinct Q and R calculated for each sub-model. 
The value for Q was set equal to one in all cases. The 
initial state for the Kalman filter was set to the trim value 
for the control command, and the initial covariance was 
set equal to one. The throttle generated six sub-models; 
the sub-model parameters, F and G, and process noise 
covariance, Q, for the throttle are shown in Tables 2 and 
3, respectively. 

Next a Kalman filter was applied to the data in 
each of the fifty runs in order to estimate the control 
command value. The estimation error was calculated for 
each frame for each run as the difference between the 
value estimated by the filter and the control command 
value generated by the simulator. Next the mean and 
variance of the estimation error were calculated for each 
of the fifty runs; the fifty points representing those values 


are shown in Figures 5-7. Each scatter plot contains one 
point represented by a triangle rather than an asterisk. That 
point is considered to be a worst case run because it 
contained either the largest mean or the largest variance for 
the estimation error. Plots of the estimation error over 
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Figure 2. Elevator Command for One Simulation 



Figure 3. Throttle Command for One Simulation 
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Figure 4. Aileron Command for One Simulation 


all frames for the specified worst case runs are shown in 
Figures 8-10, respectively. The maximum absolute mean, 
variance, and absolute estimation error for each control 
command over all fifty runs are shown in Table 4. 


Table 1. Inputs to Control Command Calculations 


Table 4. Estimation Error Over Fifty Runs 


Command 

Maximum 
1 Mean 1 

Maximum 

Variance 

Maximum 
1 Maximum 1 

Elevator 

.00037 

.000107 

.37466 

Throttle 

.00034 

.000097 

.07634 

Aileron 

.00042 

.000095 

.19810 
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Elevator 

Throttle 

ground speed 

engine pressure ratio 

rate of climb/descent 

calibrated airspeed(Cas) 

vertical acceleration 

true airspeed 

pitch rate 

ground acceleration 

scaled glide slope error 

roll angle 

wheel height above ground 

Aileron 

roll angle 

roll error signal 

Cas variable gain 

roll rate 


aileron cross feed yaw 


Cas variable gain 


Table 2. Throttle System Parameters 


F 

G ! 

0.9995 

0.0473 

0.0515 

- 0.0509 

- 0.0733 

0.0026 

0.9345 

2.5668 

- 0.0561 

0.0404 

- 0.0891 

0.0011 

0.9657 

- 1.2461 

- 0.1234 

0.1379 

- 0.1031 

- 0.0874 

0.9537 

1.7381 

- 0.0477 

0.0370 

- 0.0637 

- 0.0066 

0.9884 

0.7779 

0.0234 

- 0.0289 

- 0.0572 

0.0028 

0.9718 

1.4090 

0.0055 

- 0.0149 

- 0.0661 

0.0014 


Figure 5. Elevator: Mean and Variance of Estimation 
Error 
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Figure 6. Throttle: Mean and Variance of Estimation 
Error 


Table 3. Throttle Process Noise Covariance 


Q 

3.3650 

0.5538 

3.2231 

1.0995 

0.4320 

0.1330 
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Figure 7. Aileron: Mean and Variance of Estimation 
Error 



Figure 10. Aileron: Worst Case Estimation Error 


5. Conclusions and Future Work 



Figure 8. Elevator: Worst Case Estimation Error 



Figure 9. Throttle: Worst Case Estimation Error 


A very simple method for modeling and Kalman 
filter design has been developed to estimate correct control 
law calculations in a flight control computer. The estimates 
are for use in detecting control law calculation errors during 
tests when the computer is subjected to disturbances caused 
by electromagnetic fields. The modeling method involves the 
use of least-squares estimation to obtain model parameters for 
the control command. Modeling errors are corrected in the 
Kalman filter estimates by representing the modeling error as 
process noise in the filter design. The method was 
demonstrated by developing models and Kalman filter 
designs for the elevator, throttle, and aileron control laws of a 
B737 Autoland control system for the light clear air 
turbulence case. The one-step-ahead Kalman filter 
predictions of the elevator, throtte, and aileron commands 
yielded worst case estimation errors as shown in Table 4. 
Future plans include the refinement and revision of the 
modeling and state estimation techniques based partly on the 
results of tests of the detection monitor which makes use of 
the models and Kalman filters generated using the methods 
described above. It is anticipated that this strategy may be 
applied to the cases of medium and heavy clear air 
turbulence, and also to data generated by an actual flight 
control computer. 
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